Data Security

Executive Summary

In an increasingly digital world, a daily battle is being waged over the safety of internet users’ data. The 3.9 billion people who use the Web to shop, invest, communicate with friends or interact with healthcare providers are constantly providing personal information that can offer entry points to their financial assets, health histories and credit records. The cyberthieves working to steal this data are increasing in number and sophistication, as recent online attacks demonstrate. Some hackers offer their stolen wares for sale on the so-called Dark Web; others seek to extort money from victims by, in effect, making them buy back their own data. “Cybercriminals are evolving and pushing the boundaries,” one analyst said. In response, companies are strengthening security measures and governments at all levels are imposing new rules to contain the threat.

Here are some key takeaways:

Hacking has morphed from a lone-wolf activity to a full-blown corporate enterprise.

The average cost of a data breach to an individual company is $3.62 million, and the global cost of cybercrime is projected to reach $6 trillion by 2021.

Banking and health care are among the favorite targets of cybercriminals because these industries gather so much valuable personal information.

Schneier, Bruce, “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World,” W.W. Norton & Company, Inc., 2015. Schneier, chief technology officer at Resilient Systems Inc. and a fellow at the Berkman Center for Internet and Society at Harvard Law School, writes an overview of privacy and security that documents how private citizens are dissected by both corporations and government through their online data.

Articles

“WannaCry: Ransomware attacks show strong links to Lazarus group,” Symantec, May 22, 2017, http://tinyurl.com/mwn8c4q. Security experts believe Lazarus is behind the WannaCry ransomware that locked up 300,000 computers in 150 nations in May 2017 and several other cyberattacks, including a raid on the central bank of Bangladesh.

Choe, Sang-Hun, “North Korea Tries to Make Hacking a Profit Center,” The New York Times, July 27, 2017, http://tinyurl.com/y8ctpq9z. North Korea has trained the nation’s hackers not only to steal other countries’ secrets, but to pursue their cash as well.

Greenberg, Andy, “The WannaCry Ransomware Hackers Made Some Real Amateur Mistakes,” Wired, May 15, 2017, http://tinyurl.com/ml8d4fc. The hackers behind the recent WannaCry malware attack made a number of key errors that helped make the attack a “catastrophic failure” from a ransom perspective.

Hay Newman, Lily, “Medical Devices Are the Next Security Nightmare,” Wired, March 2, 2017, http://tinyurl.com/znulb88. Many pacemakers and other implanted medical devices are vulnerable to cyberattack, offering hackers yet another way to extort money and steal medical information.

Johnson, Tim, “How The Dark Overlord is costing U.S. clinics big time with ransom demands,” Miami Herald, May 15, 2017, http://tinyurl.com/yataul74. Ransomware attacks by The Dark Overlord hacking group have created havoc at large and small medical facilities across the country.

Merica, Dan, “The life and death of Trump’s ‘cyber security unit’ plan with Putin,” CNN, July 10, 2017, http://tinyurl.com/y9faxxol. The Trump administration retreated from the president’s proposal to cooperate with Russian President Vladimir Putin on cybersecurity after the proposal was widely criticized.

Reports and Studies

“2016 Financial Industry Cybersecurity Research Report,” Security Scorecard, August 2016, http://tinyurl.com/ya9q7dwe. The cybersecurity report documents the extent to which the healthcare and financial services industries are targeted by hackers and the vulnerabilities of both industries.

“Code Blue: Why Healthcare Organizations Are Facing More Cyber Attacks, And What They Can Do About It,” FireEye, 2015, http://tinyurl.com/yawvgwmw. A cybersecurity firm analyzes why the healthcare industry and the data it collects have become attractive targets for hackers.

“Cybersecurity and Financial Stability: Risks and Resilience,” Office of Financial Research, U.S. Treasury Department, Feb. 15, 2017, http://tinyurl.com/y9w277xm. An independent bureau within the Treasury Department, created in 2010 to assess risks to the nation’s financial system, looks at how cyberattacks threaten financial stability and how companies and regulators are dealing with the problem.

“IBM X-Force Threat Intelligence Index 2017,” IBM, March 2017, http://tinyurl.com/ya636rj8. More than 4 billion hacked records were leaked during “the year of the mega breach” in 2016, and cyberattacks that year “had a discernible impact on real-world events,” according to IBM’s security services.

The Next Step

Military Innovation

Mehta, Aaron, “Pentagon tech advisers target how the military digests data,” Defense News, April 6, 2017, https://tinyurl.com/y9sekshr. The Pentagon is considering creating a central repository for its vast quantities of military data to remain ahead of the technological curve, after months of research determined that data management is key to innovation.

Popper, Ben, “A rebuke from the US army has DJI focused on improving security,” The Verge, Sept. 6, 2017, https://tinyurl.com/y9poss8l. The world’s most successful drone company has come under scrutiny recently over the security and privacy of the millions of photos, videos, and flight logs it collects. The Army will continue using the company’s equipment only if it passes a security check.

Porche, Isaac, “Reservists and the National Guard offer untapped resources for cybersecurity,” TechCrunch, April 18, 2017, https://tinyurl.com/ybhen6y7. The U.S. Army Reserves and National Guard have thousands of people with cyber experience who could be trained as information security professionals to better defend national security in cyber terrain, according to research by the RAND Corporation, a California-based think tank.

Private Industry

Bendix, Aria, “GOP Firm Exposed U.S. Voters’ Personal Data,” The Atlantic, June 20, 2017, https://tinyurl.com/ybkcnqh2. A marketing firm hired by the Republican National Committee accidentally left the personal information of almost every U.S. voter publicly accessible on an Amazon cloud server for two weeks in June because the firm failed to password-protect the data.

Nakashima, Ellen, “Tech firm is fighting a federal demand for data on visitors to an anti-Trump website,” The Washington Post, Aug. 14, 2017, https://tinyurl.com/y8omsblt. DreamHost, a private tech firm, is fighting a Department of Justice demand for internet data on visitors to a website the firm hosts that coordinated protests against President Trump on Inauguration Day.

Vincent, James, “Ghostery has been bought by the developer of a privacy-focused browser,” The Verge, Feb. 15, 2017, https://tinyurl.com/y9ztbb5s. Cliqz, a German company that offers a browser focused on privacy protection, has acquired the anti-tracking and ad-blocking plug-in Ghostery to attract more international users, who will benefit from Germany’s strict data-protection laws.

Center for Internet Security, 31 Tech Valley Drive, East Greenbush, NY 12061; 1-518-266-3460; https://www.cisecurity.org; contact@cisecurity.org. A nonprofit that works to protect public and private companies around the world from the threat of cyberattacks.